[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Mar 21 15:40:42 MDT 2011
Wireshark provided better detail of the captured traffic. The bind
was OK with either cn=Directory Manager or
cn=proxyagent,ou=mydomain.com, as long as it was not quoted.
The invalid DN responses were also generated if the ldap_base_dn values
were quoted.
The following is wrong:
...
idmap alloc config:ldap_base_dn = "ou=alloc,ou=idmap,o=ssci.com"
...
idmap config ENGINEERING:ldap_base_dn = "ou=engineering,ou=idmap,o=ssci.com"
The following is OK (ie. no bind errors):
...
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=ssci.com
...
idmap config ENGINEERING:ldap_base_dn = ou=engineering,ou=idmap,o=ssci.com
So LDAP authentication seems OK. Although log.winbind still shows
lookup errors (
-------------------------------------------------------------------------------------------------------------------
[2011/03/21 16:51:22, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
error getting user id for sid S-xxxxxxxxxxxxxx-1217
[2011/03/21 16:51:22, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user rsmith
[2011/03/21 16:51:22, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user jsmith
(In the example above there is an idmap entry in LDAP for jsmith but not
rsmith.)
-------------------------------------------------------------------------------------------------------------------
The "wbinfo --allocate-uid" command does work:
# wbinfo --allocate-uid
New uid: 30778
# wbinfo --allocate-uid
New uid: 30779
The uidNumber parameter in ou=alloc is incremented - it now shows 30780.
But I cannot manually set a uid mapping:
# wbinfo --set-uid-mapping 123,S-xxxxxxxxxxxxxx-1217
Could not create or modify uid to sid mapping
# wbinfo --set-uid-mapping 30779,S-xxxxxxxxxxxxxx-1217
Could not create or modify uid to sid mapping
The wbinfo --set-uid-mapping command DOES work on the PDC. The
member server just doesn't seem to read the information properly.
On 03/21/2011 04:17 PM, Gaiseric Vandal wrote:
> Linux "unix" authentication uses a proxyagent account. There is no
> particular reason that Samba should use this account.
>
> However, to rule out the spaces and quotes being an issue, I updated
> the smb.conf on this machine (Fedora Core 11 linux member server) to
> use the cn=proxyagent,ou=mydomain.com account. The account has
> sufficient privs to read existing LDAP entries, even if it can't
> create new ones.
>
> If I quote it, I get the following error:
>
> get_credentials: Unable to fetch auth credentials for
> "cn=proxyagent,ou=profile,o=ssci.com"
>
> If I don't quote it, I don't get credential error messages. So on
> FC11 Linux Member servers running Samba 3.4.7, the ldap user in
> smb.conf should be unquoted, not have spaces, and be in the same ldap
> suffix as everything else.
>
> But I still get the following error
>
> [2011/03/21 15:53:06, 3]
> winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
> Failure looking up sids (Invalid DN syntax)
>
> Since I have 3 LDAP servers (in replication) I just updated smb.conf
> to use one ldap server while having /etc/ldap.conf (and
> /etc/openldap/ldap.conf) use another one. That way when I watch
> ldap traffic between this machine and an LDAP server I can distinguish
> between traffic related to unix accounts and that related to samba idmap.
>
>
> I don't see any relevant ldap server error or access logs. snoop
> (packet capture) does show
>
> sambamember1 -> ldapserver1 LDAP C port=59073 Search Request
> neverDerefAliases
> ldapserver1 -> sambamember1 LDAP R port=59073 Search ResDone Invalid
> DN Syntax
> sambamember1 -> ldapserver1 LDAP C port=59073
>
> On 03/21/2011 12:37 PM, Ayman Tahboub wrote:
>> hiya,
>>
>> that sounds reasonable to me, perhaps due to the white space
>>
>> it might be safer to quote the entry.
>>
>> on the other side what are you seeing under the Access and Errors
>> logs for DS?
>>
>> are you seeing the actual bind coming in?
>>
>> on the FC machine I presume you are running over proxyagent?
>>
>> hope it helps
>>
>> /ayman
>>
>>
>> -----Original Message----- From: Gaiseric Vandal
>> Sent: Monday, March 21, 2011 16:21
>> To: Ayman Tahboub ; Samba
>> Subject: Re: [Samba] Samba 3.4.7 can't retrieve idmap infor from ldap
>>
>> I tried with and without the double quotes.
>>
>> The following commands do work in linux (it will prompt me for the pw.)
>>
>> ldapsearch -D "cn=Directory Manager" -b "" objectclass=* -x -W
>> ldapsearch -D "cn=admin,cn=Administrators,cn=config" -h spooky -b "" -x -W
>>
>> Not sure in smb.conf whether I should ever quote the ldap_user_dn
>> parameter. Maybe it should be quoted if it is an absolute vs relative
>> entry?
>>
>> On 03/21/2011 11:34 AM, Ayman Tahboub wrote:
>>> hiya Gaiseric,
>>>
>>> one quick note against your binding DN, I think
>>> it's complaining about having double quotations ""CN=Directory Manager""
>>>
>>> on the other side, you verified binding via normal LDAPSEARCH
>>> command,
>>>
>>> as in ldapsearch -D "CN=directory manager" -b "" objectclass=* ?
>>>
>>> hope it helps
>>>
>>> /ayman
>>>
>>> -----Original Message----- From: Gaiseric Vandal Sent: Thursday,
>>> March 17, 2011 20:12 To: Samba Subject: [Samba] Samba 3.4.7 can't
>>> retrieve idmap infor from ldap
>>> I am running Samba 3.4.7 on Fedora Core 11 Linux. This is a domain
>>> member.
>>>
>>> My PDC is Samba 3.4.9 on Solaris 10. I have LDAP as a backend
>>> (Sun/Oracle Directory Server 6.) I have an OU for user accounts,
>>> and an OU for idmap entries. The PDC has already populated some
>>> idmap entries.
>>>
>>> An idmap entry looks like
>>>
>>> dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou=idmap,o=mycompany.com
>>> objectClass: sambaIdmapEntry
>>> objectClass: sambaSidEntry
>>> uidNumber: 176
>>> sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121
>>>
>>> The member servers can be read-only.
>>>
>>> In the member server, smb.conf has the following entries
>>>
>>> idmap config MYDOMAIN:backend = ldap
>>> idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
>>> idmap config MYDOMAIN:readonly = yes
>>> idmap config MYDOMAIN:default=no
>>> idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
>>> #idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
>>> #idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
>>> idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
>>> idmap config MYDOMAIN:range = 70000-79999
>>> idmap config MYDOMAIN:uid = 100 -79999
>>> idmap config MYDOMAIN:gid = 100 -79999
>>>
>>> On this machine (FC11 member server), when I run "getent passwd"
>>> command, log.winbind shows
>>>
>>> failed to bind to server ldap://pdc.mycompany.com with
>>> dn=""cn=Directory Manager"" Error: Invalid DN syntax
>>> Invalid DN
>>>
>>> On getent passwd, winbind.log shows
>>>
>>> lib/smbldap.c:890(smbldap_open_connection)
>>> smbldap_open_connection: connection opened
>>> lib/smbldap.c:1101(smbldap_connect_system)
>>> ldap_connect_system: successful connection to the LDAP server
>>> winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
>>> Failure looking up sids (Invalid DN syntax)
>>>
>>> If there is NOT an idmap entry already for the user, I get
>>> winbind.log entries like:
>>>
>>> [2011/03/17 12:52:48, 1]
>>> winbindd/winbindd_user.c:97(winbindd_fill_pwent)
>>> error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
>>> [2011/03/17 12:52:48, 1]
>>> winbindd/winbindd_user.c:856(winbindd_getpwent)
>>> could not lookup domain user jkerry
>>>
>>> [2011/03/17 12:52:48, 1]
>>> winbindd/winbindd_user.c:97(winbindd_fill_pwent)
>>> error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
>>> [2011/03/17 12:52:48, 1]
>>> winbindd/winbindd_user.c:856(winbindd_getpwent)
>>> could not lookup domain user jmcain
>>>
>>> It looks like it tried to locate a record via user name or sid.
>>>
>>> If there is an idmap entry already for the user I only get
>>>
>>> [2011/03/17 12:52:48, 1]
>>> winbindd/winbindd_user.c:856(winbindd_getpwent)
>>> could not lookup domain user jsmith
>>>
>>> So the samba member server is connecting to the LDAP server and
>>> retrieving some LDAP information. But it seems that the LDAP info
>>> is NOT formatted as expected (thus the Invalid DN Syntax errors.)
>>>
>>> The PDC was initially Samba 3.0.x, and I am guessing that the LDAP
>>> IDMAP syntax changed between 3.0.x and 3.4.x.
>>>
>>> I would appreciate advice on this.
>>>
>>> Thanks
>>>
>>
>
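As an added example (not part of the thread), a small Python check that parses the "idmap config DOMAIN:key = value" lines of an smb.conf and flags the ldap_base_dn / ldap_user_dn values wrapped in quotes, the misconfiguration this thread tracked down; it also builds the sambaIdmapEntry DN that winbind looks up under the base DN. The sample config is constructed from the values quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the member-server smb.conf fragment from the thread,
# with the base DN quoted (the form that produced "Invalid DN syntax").
SAMPLE_SMB_CONF = """
[global]
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
#idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
idmap config MYDOMAIN:range = 70000-79999
"""

# idmap config <domain>:<key> = <value>; the key ends at the first '='
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\S+?)\s*=\s*(.*?)\s*$", re.I)
DN_KEYS = ("ldap_base_dn", "ldap_user_dn")


def parse_idmap_config(text: str) -> Dict[Tuple[str, str], str]:
    """Collect (DOMAIN, key) -> value for every idmap config line; comments skipped."""
    out: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.groups()
            out[(domain.upper(), key.lower())] = value
    return out


def find_quoted_dns(conf: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Return (domain, key, value) for DN parameters wrapped in quotes.
    In the thread's captures the quoted value reached the directory server
    as-is, quotes included, and was answered with 'Invalid DN syntax'."""
    bad = []
    for (domain, key), value in conf.items():
        if key in DN_KEYS and len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            bad.append((domain, key, value))
    return bad


def idmap_entry_dn(sid: str, base_dn: str) -> str:
    """DN of the sambaIdmapEntry winbind expects for a SID under the idmap base."""
    return f"sambaSID={sid},{base_dn}"
```

Run it against a copy of smb.conf before restarting winbind; an empty result from find_quoted_dns means every DN parameter is unquoted.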